Athena Data Source using IAM role of machine Grafana is hosted on

  • What Grafana version and what operating system are you using?

Grafana 9.3.2 on Ubuntu 18.04.4 LTS

  • What are you trying to achieve? | What happened?

I would like to configure AWS Athena as a Data Source using the IAM credentials of the machine Grafana is running on. I am not using AWS Managed Grafana.

  • How are you trying to achieve it?

  • What did you expect to happen?

I expected the data source to save without error.

  • Can you copy/paste the configuration(s) that you are having problems with?

Image of AWS data source configuration above. The AWS IAM role for the machine running Grafana is set up to use Amazon’s AmazonGrafanaAthenaAccess policy, which includes the following relevant permission:

        {
            "Effect": "Allow",
            "Action": [
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetWorkGroup",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "Null": {
                    "aws:ResourceTag/GrafanaDataSource": "false"
                }
            }
        },

The EC2 instance which Grafana is running on is configured to use this IAM role and contains the tag GrafanaDataSource: true.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

See above image.
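
An added example, not part of the original post: an offline model of how the `Null` condition in the policy statement quoted above is evaluated. `aws:ResourceTag/...` is checked against the tags of the resource named in the request (for these Athena actions, the workgroup). The evaluator, its function names, the account ID and the workgroup names are constructed for illustration, and the sketch covers only this one statement and the `Null` operator, not full IAM evaluation.

```python
# Added illustration (not from the thread): offline model of the "Null"
# condition in the quoted statement. Simplified: one Allow statement, only
# the Null operator on aws:ResourceTag/<key>, case-sensitive action match.
from fnmatch import fnmatchcase

STATEMENT = {  # the statement quoted in the post
    "Effect": "Allow",
    "Action": [
        "athena:GetQueryExecution", "athena:GetQueryResults",
        "athena:GetWorkGroup", "athena:StartQueryExecution",
        "athena:StopQueryExecution",
    ],
    "Resource": ["*"],
    "Condition": {"Null": {"aws:ResourceTag/GrafanaDataSource": "false"}},
}

def null_condition_ok(condition, resource_tags):
    """Null operator: "true" requires the key to be absent, "false" present."""
    for key, expected in condition.get("Null", {}).items():
        prefix, _, tag_key = key.partition("/")
        if prefix != "aws:ResourceTag":
            return False  # other context keys are outside this sketch
        absent = tag_key not in resource_tags
        if absent != (expected.lower() == "true"):
            return False
    return True

def allows(statement, action, resource_arn, resource_tags):
    """True if the statement allows `action` on the given resource.

    `resource_tags` are the tags on the resource named in the request (the
    Athena workgroup), not tags on the caller or on its EC2 instance.
    """
    if statement["Effect"] != "Allow":
        return False
    if not any(fnmatchcase(action, a) for a in statement["Action"]):
        return False
    if not any(fnmatchcase(resource_arn, r) for r in statement["Resource"]):
        return False
    return null_condition_ok(statement.get("Condition", {}), resource_tags)

# Constructed sample data: placeholder account ID and workgroup names.
WG = "arn:aws:athena:us-east-1:111122223333:workgroup/"
UNTAGGED = (WG + "primary", {})
TAGGED = (WG + "grafana", {"GrafanaDataSource": "true"})

if __name__ == "__main__":
    for arn, tags in (UNTAGGED, TAGGED):
        print(arn, allows(STATEMENT, "athena:GetWorkGroup", arn, tags))
```

The `Null` operator only tests for the presence of the tag key, so any value of `GrafanaDataSource` on the workgroup satisfies the condition.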

Make sure that you have the correct region selected in the data source configuration in Grafana. If you are using a different region for Athena than the one that you have selected in Grafana, you may see an “access denied” error.

IMHO your EC2 instance profile is used to query Athena and not your IAM role. I would create a dedicated role for Athena (BTW you will need more permissions: Amazon Athena plugin for Grafana | Grafana Labs) and use it in Assume Role ARN.

Anyway, your AWS support will be able to give you more details, because from your description it is not clear how you set up IAM roles, instance profiles, …